The next step is to load the WS_UserManagement.cs file, get its AST, find the Login method and add that method to the AClass AST.

The generated code will look like this:

One of the best parts of AST manipulation is that we can easily use one AST to create another one.

In this case we are going to use the WebService’s Login method to create the ‘wrapper/proxy login method’.

The script shown above will create this script:

which is exactly what I’m trying to do: a C# based proxy for a web service :)
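The same idea as an added example (not code from the original post): it uses Roslyn (the Microsoft.CodeAnalysis.CSharp NuGet package) in place of the O2 Platform AST API the post relies on. The WS_UserManagement stub, its method signatures and the BuildWrapper helper are assumptions made for illustration; only the Login method name and the AClass name come from the post.

```csharp
using System;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using static Microsoft.CodeAnalysis.CSharp.SyntaxFactory;

static class ProxyGenerator
{
    // Constructed stand-in for WS_UserManagement.cs; the method signatures are assumptions.
    const string ServiceSource = @"
public class WS_UserManagement
{
    public string Login(string userID, string password) { return null; }
    public void Logout(string sessionID) { }
}";

    // Hypothetical helper: copies one method's signature from the service AST into a new class AST.
    public static string BuildWrapper(string source, string className, string methodName)
    {
        var root = CSharpSyntaxTree.ParseText(source).GetRoot();
        var service = root.DescendantNodes().OfType<ClassDeclarationSyntax>().First();
        var target = service.Members.OfType<MethodDeclarationSyntax>()
                            .First(m => m.Identifier.Text == methodName);

        // Forward every parameter of the original method, in declaration order.
        var args = string.Join(", ", target.ParameterList.Parameters.Select(p => p.Identifier.Text));
        var call = $"new {service.Identifier.Text}().{methodName}({args});";
        var isVoid = target.ReturnType is PredefinedTypeSyntax t && t.Keyword.IsKind(SyntaxKind.VoidKeyword);
        var body = Block(ParseStatement(isVoid ? call : "return " + call));

        // Reuse the return type and parameter list nodes of the source AST as they are.
        var wrapper = MethodDeclaration(target.ReturnType, Identifier(methodName))
            .AddModifiers(Token(SyntaxKind.PublicKeyword))
            .WithParameterList(target.ParameterList)
            .WithBody(body);

        return ClassDeclaration(className)
            .AddModifiers(Token(SyntaxKind.PublicKeyword))
            .AddMembers(wrapper)
            .NormalizeWhitespace()
            .ToFullString();
    }

    static void Main() => Console.WriteLine(BuildWrapper(ServiceSource, "AClass", "Login"));
}
```

Because the parameter list and return type are taken from the parsed service class rather than typed by hand, regenerating the wrapper after the web service changes keeps the two signatures in step.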

To quickly test it we can add a method that invokes that wrapper method:

which will create this code:

which when executed will show the login Id on the Log Viewer:

Here is an interesting twist, which also shows the power of this technique to script unit tests.

Since the Login method (in HacmeBank) is vulnerable to SQL injection, we can code a payload in via the AST generation:

which will result in the code and execution result of:

Note the SQL injection error in the Log :)

We can also use a payload that returns an SQL error with a value (like jv’ and 1 = @@version-- )

where we will get this script and execution result (see Log Viewer)

and this traffic in Fiddler:

As you can see, this is a really powerful technique where I was able to use AST manipulation to programmatically create a Proxy Method for a particular WebService’s WebMethod.

Finally, just to show the interactivity of this type of development (using the GUI explained in Creating a REPL editor that is linked to a Code editor), this is what my GUI looked like after running the 'AST generated script with the SQL Injection' (note that the right-hand-side code editor is populated, compiled and executed in real-time).